OpenID Logout. I just need authentication not login to OpenID Provider?

People apparently fail to see the question in your question, so I repeat it here just for clarity (and with a question mark).


Started with this question: stackoverflow.com/questions/1385082/open... OK. So OpenID does not have single logout. I can see the uses but there are some situations that worry me: Single sign-on is great for mobile devices and your personal computer.

You sign on once and probably never need to sign out again (just authenticating with new sites as you go). But if I am on a public computer (airport, or even a work computer) this is a problem. When I sign into a website using OpenID I am signing into two different places and that is not obvious.

I sign on to a website (stackoverflow for example using gmail account) but at the same time I have just signed into gmail (OpenID Provider). When I sign out of stackoverflow I am still signed into gmail (OpenID Provider). When I authenticate with gmail I don't want to log in to gmail, I just want to authenticate.

A hack around this is to have the logout flow log me out of gmail at the same time, but as noted on the last post, if I log out of stackoverflow I don't necessarily want to logout of gmail if I am at home. So the question really is: Is there a way to authenticate with these OpenID providers without logging on. Because even sites like stack overflow, they do not log you out when you logout of the OpenID provider you authenticated with.

If you have gmail account I can log in and out all day without affecting if stackoverflow is logged in.

Tags: php, authentication, openid, logout

asked Sep 6 '09 at 17:04, edited Sep 6 '09 at 17:19 – Loki Astari

I believe that the answer to this question is "no" (as blowdart elaborates).

If the protocol doesn't support it (and it doesn't) then there's nothing you can do here, aside from deleting all your cookies once you're done, which would clear the cookie which logs you into your provider and the ones that log you into services. As an aside, an OpenID provider doesn't have to provide you with a persistent cookie, or even a session cookie which keeps you logged into your OpenID account; it could authenticate you once for itself, then send the authentication token onwards. If you're worried about being logged into Gmail when you use OpenID then choose another OpenID provider.

But how is this a question?

Is there a way to authenticate with these OpenID providers without logging on. – Loki Astari Sep 6 '09 at 17:51

Well you have to logon to get a token to send to the relying party, what you want is it to not persist your logon at your provider. And that's down to the provider, not random folks on stackoverflow. – blowdart Sep 6 '09 at 18:27

That's my point. I would like my site to authenticate with google, but without affecting the state of gmail with the client. I don't want what the user does on my site to affect their state on other sites (unless the user wants to do that but that has nothing to do with my site). – Loki Astari Sep 6 '09 at 18:36

Then you'll need to get every OpenID provider to change how they work. Good luck with that. – blowdart Sep 6 '09 at 18:37

The short answer is yes, in practice, by choosing a reasonable OpenID provider. The long answer is that this is a question about your OpenID provider, not OpenID itself. OpenID only handles authentication.

Session support (and related concepts such as logging in or out) is outside of the OpenID spec. Your OpenID provider may keep a session for you (probably with a browser cookie). Any reasonable provider will not do this unless you indicate ("remember me when logging into stackoverflow.com").

The OpenID consumer (such as StackOverflow) may keep a session for you as well. There is nothing you can do about this, but this is true for any authentication scheme, whether 3rd party or direct. Because the 3rd-party aspects of OpenID are well designed, it is easy to avoid logging in in practice, by choosing a reasonable provider, or better yet, by using an HTML page as your claimed identity, which delegates to a provider which you can change if you decide to switch.
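The delegation mentioned in the answer above, as an added example that is not part of the original answer: a sketch of the HTML-based discovery a relying party runs against a claimed-identity page. The page content, the URLs and the names `HeadLinks` and `discover` are constructed for illustration; the `rel` values are the ones defined by OpenID 1.1 and 2.0.

```python
from html.parser import HTMLParser

# Constructed sample: a personal page used as the claimed identifier.
# All URLs are placeholders, not real provider endpoints.
DELEGATING_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example.net/endpoint">
<link rel="openid2.local_id openid.delegate" href="https://op.example.net/user/alice">
</head><body>
<link rel="openid2.provider" href="https://other.example.org/endpoint">
</body></html>"""


class HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> elements that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []  # list of (set of rel tokens, href)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = set((a.get("rel") or "").lower().split())
            if rels and a.get("href"):
                self.links.append((rels, a["href"].strip()))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return the endpoint and identifiers a relying party would use."""
    parser = HeadLinks()
    parser.feed(html)

    def first(*names):
        hits = [href for rels, href in parser.links if rels & set(names)]
        return hits[0] if hits else None

    endpoint = first("openid2.provider", "openid.server")
    if endpoint is None:
        raise ValueError("no OpenID provider advertised in <head>")
    # Without a local_id/delegate link, the claimed id is also the local id.
    local_id = first("openid2.local_id", "openid.delegate") or claimed_id
    return {"claimed_id": claimed_id, "op_endpoint": endpoint, "op_local_id": local_id}
```

The claimed identifier stays the same when the two `href` values are pointed at a different provider, which is what makes switching to a provider with different session behaviour possible. The `<link>` placed in `<body>` is ignored because discovery only honours links in `<head>`.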

OpenID doesn't specify if the provider should create a login session for themselves, but almost all of them do. So there is no option to just authenticate to the RP without leaving a session in the OP. If you really want to authenticate without leaving a session, you can do it with other protocols.

Just about every OP provides a proprietary protocol to log in with username/password. For example, Google has ClientAuth and AOL has directLogin. This is the so-called password anti-pattern.

It creates some privacy concerns because you collect the Google password on your site. I am not recommending it in any way.
